[Samba] Using Force Group with AD Group

Rowland Penny rpenny at samba.org
Mon Sep 26 07:06:02 UTC 2022



On 26/09/2022 07:32, Matthias Kühne | Ellerhold AG via samba wrote:
> Hello,
> 
> force group = DOMAIN\Domain Group
> 
> Each operation on this share will now behave as if the connecting user
> has this group. So no more group-based ACL. If you want to share certain
> folders via group-permission - this gives everybody the group (even
> those that do not have it in the AD) and gives them access or denies
> it to them. Even more so, this group will be the primary group of the
> user during the connection.
> 
> So everybody can access this share now because it behaves as if the user
> has this group.
> 
> force group = +DOMAIN\Domain Group
> 
> If the connecting user has this group (either directly or inherited) it
> will set this to be their _primary_ group -- it does not add any group
> to any user at all. It just changes the primary group.
> 
> All ACL-checks still work! New files and directories are created with
> this group, so other people accessing the share can open them (if you're
> using group-based permissions).

If you use the acl_xattr VFS object, then you shouldn't use 'force
group' etc.; you should use Windows access control lists (ACLs) instead.

Rowland
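
An added example, not part of the original thread: a small audit of an smb.conf that flags the two situations discussed above, `force group` without the `+` prefix and `force group` on a share that loads acl_xattr. The share names, paths and sample configuration are constructed; the reader is deliberately minimal (no line continuations or include files) and treats `group` and `vfs object` as synonyms, as smb.conf(5) documents.

```python
# Constructed sample smb.conf: share names, paths and the group are made up.
SAMPLE_CONF = r"""
[open]
    path = /srv/open
    force group = DOMAIN\Domain Group
[team]
    path = /srv/team
    force group = +DOMAIN\Domain Group
[winacl]
    path = /srv/winacl
    vfs objects = acl_xattr
    Force Group = "+DOMAIN\Domain Group"
"""

def parse(conf_text):
    # Minimal reader: no backslash line continuations, no include files.
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Parameter names ignore case and embedded whitespace.
            current["".join(key.split()).lower()] = value.strip().strip('"')
    return sections

def audit(conf_text):
    sections = parse(conf_text)
    defaults = sections.pop("global", {})
    findings = {}
    for share, params in sections.items():
        eff = {**defaults, **params}  # [global] values act as share defaults
        group = eff.get("forcegroup") or eff.get("group")  # 'group' is a synonym
        vfs = (eff.get("vfsobjects") or eff.get("vfsobject") or "")
        vfs = vfs.replace(",", " ").split()
        notes = []
        if group and not group.startswith("+"):
            notes.append("no '+' prefix: every connecting user is treated as a member")
        if group and "acl_xattr" in vfs:
            notes.append("acl_xattr is loaded: use Windows ACLs instead of force group")
        if notes:
            findings[share] = notes
    return findings

print(audit(SAMPLE_CONF))
```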



